From 4aaa4f7dca7fee5e62e4554bfbe5ea92f6a4ac6e Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Tue, 31 Oct 2023 15:09:05 +0100 Subject: [PATCH] deprecate resolver-retry-interval and resolver-nonbackoff-tries these options control default timing of retries in the resolver for experimental purposes; they are not known to useful in production environments. they will be removed in the future; for now, we only log a warning if they are used. --- CHANGES | 4 ++++ bin/tests/system/checkconf/deprecated.conf | 3 +++ bin/tests/system/checkconf/tests.sh | 2 ++ doc/arm/reference.rst | 12 ++++++++---- doc/misc/options | 8 ++++---- doc/notes/notes-current.rst | 3 +++ lib/isccfg/namedconf.c | 6 ++++-- 7 files changed, 28 insertions(+), 10 deletions(-) diff --git a/CHANGES b/CHANGES index 9401763e6f..b8a4b544cf 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +6296. [func] The "resolver-nonbackoff-tries" and + "resolver-retry-interval" options are deprecated; + a warning will be logged if they are used. [GL #4405] + 6295. [bug] Fix an assertion failure which could occur during shutdown when DNSSEC validation was running. [GL #4462] diff --git a/bin/tests/system/checkconf/deprecated.conf b/bin/tests/system/checkconf/deprecated.conf index 15d719d6a4..abdcd6339e 100644 --- a/bin/tests/system/checkconf/deprecated.conf +++ b/bin/tests/system/checkconf/deprecated.conf @@ -27,6 +27,9 @@ options { avoid-v4-udp-ports { range 1 1023; }; avoid-v6-udp-ports { range 1 1023; }; + resolver-nonbackoff-tries 3; + resolver-retry-interval 800; + dnssec-must-be-secure mustbesecure.example yes; }; diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index 7eced17663..d0176b6a1e 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh 
@@ -174,6 +174,8 @@ grep "option 'avoid-v4-udp-ports' is deprecated" /dev/null | grep "option 'avoid-v6-udp-ports' is deprecated" /dev/null || ret=1 grep "option 'dialup' is deprecated" /dev/null || ret=1 grep "option 'heartbeat-interval' is deprecated" /dev/null || ret=1 +grep "option 'resolver-nonbackoff-tries' is deprecated" /dev/null || ret=1 +grep "option 'resolver-retry-interval' is deprecated" /dev/null || ret=1 grep "option 'dnssec-must-be-secure' is deprecated" /dev/null || ret=1 grep "token 'port' is deprecated" /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 3434bc70fd..1f0d253bd8 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -4230,18 +4230,22 @@ Tuning has no effect, the value of :any:`max-cache-ttl` will be ``0`` in such case. .. namedconf:statement:: resolver-nonbackoff-tries - :tags: server + :tags: deprecated. :short: Specifies the number of retries before exponential backoff. - This specifies how many retries occur before exponential backoff kicks in. The - default is ``3``. + This specifies how many retries occur before exponential backoff kicks in. + The default is ``3``. + + This option is deprecated and will be removed in a future release. .. namedconf:statement:: resolver-retry-interval - :tags: server, query + :tags: deprecated :short: Sets the base retry interval (in milliseconds). This sets the base retry interval in milliseconds. The default is ``800``. + This option is deprecated and will be removed in a future release. + .. namedconf:statement:: sig-validity-interval :tags: obsolete diff --git a/doc/misc/options b/doc/misc/options index 0842327a73..b61f6b8ed2 100644 --- a/doc/misc/options +++ b/doc/misc/options 
@@ -247,9 +247,9 @@ options { request-ixfr ; request-nsid ; require-server-cookie ; - resolver-nonbackoff-tries ; + resolver-nonbackoff-tries ; // deprecated resolver-query-timeout ; - resolver-retry-interval ; + resolver-retry-interval ; // deprecated resolver-use-dns64 ; response-padding { ; ... } block-size ; response-policy { zone [ add-soa ] [ log ] [ max-policy-ttl ] [ min-update-interval ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only ) ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ ede ]; ... } [ add-soa ] [ break-dnssec ] [ max-policy-ttl ] [ min-update-interval ] [ min-ns-dots ] [ nsip-wait-recurse ] [ nsdname-wait-recurse ] [ qname-wait-recurse ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ dnsrps-enable ] [ dnsrps-options { } ]; @@ -523,9 +523,9 @@ view [ ] { request-ixfr ; request-nsid ; require-server-cookie ; - resolver-nonbackoff-tries ; + resolver-nonbackoff-tries ; // deprecated resolver-query-timeout ; - resolver-retry-interval ; + resolver-retry-interval ; // deprecated resolver-use-dns64 ; response-padding { ; ... } block-size ; response-policy { zone [ add-soa ] [ log ] [ max-policy-ttl ] [ min-update-interval ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only ) ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ ede ]; ... } [ add-soa ] [ break-dnssec ] [ max-policy-ttl ] [ min-update-interval ] [ min-ns-dots ] [ nsip-wait-recurse ] [ nsdname-wait-recurse ] [ qname-wait-recurse ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ dnsrps-enable ] [ dnsrps-options { } ]; diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index e01771325b..70507cef59 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -35,6 +35,9 @@ Removed Features - The support for AES algorithm for DNS cookies has been removed. :gl:`#4421` +- The ``resolver-nonbackoff-tries`` and ``resolver-retry-interval`` options + are now deprecated. A warning will be logged if they are used. :gl:`#4405` + Feature Changes ~~~~~~~~~~~~~~~ diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index c3f2a7d03b..fcd86dffce 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -2133,9 +2133,11 @@ static cfg_clausedef_t view_clauses[] = { { "request-nsid", &cfg_type_boolean, 0 }, { "request-sit", NULL, CFG_CLAUSEFLAG_ANCIENT }, { "require-server-cookie", &cfg_type_boolean, 0 }, - { "resolver-nonbackoff-tries", &cfg_type_uint32, 0 }, + { "resolver-nonbackoff-tries", &cfg_type_uint32, + CFG_CLAUSEFLAG_DEPRECATED }, { "resolver-query-timeout", &cfg_type_uint32, 0 }, - { "resolver-retry-interval", &cfg_type_uint32, 0 }, + { "resolver-retry-interval", &cfg_type_uint32, + CFG_CLAUSEFLAG_DEPRECATED }, { "response-padding", &cfg_type_resppadding, 0 }, { "response-policy", &cfg_type_rpz, 0 }, { "rfc2308-type1", NULL, CFG_CLAUSEFLAG_ANCIENT },
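Review bot: The two `view_clauses` entries in lib/isccfg/namedconf.c now carry `CFG_CLAUSEFLAG_DEPRECATED` with nothing beside them saying why, or what happens to a value an operator has configured. Going by the commit message the options are still accepted and only a warning is logged, so a short comment above the pair, such as `/* experimental retry tuning: still accepted, warning only, scheduled for removal (GL #4405) */`, would keep that visible to whoever later turns the flag into a removal. The new lines in deprecated.conf set both options only in the global `options` block, while the flagged table is `view_clauses`, so a view-level use is presumably warned about too but is not exercised by the checkconf test. Separately, in doc/arm/reference.rst the first entry's `:tags: deprecated.` ends with a period that the second entry's `:tags: deprecated` lacks, which looks like a typo. The `view_clauses[]` array starts and ends outside this hunk.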